Search for unlabeled device files [+Docs]

This patch adds tasks to search for device files without SELinux labels and
prints a list of those devices in the Ansible output.

Documentation is included.

Implements: blueprint security-rhel7-stig
Change-Id: Ic870f91ead4e89189efb8ad93674798063c97ba8

doc/metadata/rhel7/RHEL-07-020940.rst

@@ -1,7 +1,19 @@
 ---
 id: RHEL-07-020940
-status: not implemented
-tag: misc
+status: implemented - red hat only
+tag: lsm
 ---
 
-This STIG requirement is not yet implemented.
+The tasks in the security role examine the SELinux contexts on each device file
+found on the system. Any devices without appropriate labels are printed in
+the Ansible output.
+
+Deployers should investigate the unlabeled devices and ensure that the correct
+labels are applied for the class of device.
+
+.. note::
+
+    This change applies only to CentOS or Red Hat Enterprise Linux systems
+    since they rely on SELinux as their default Linux Security Module (LSM).
+    Ubuntu systems use AppArmor, which uses policy files rather than labels
+    applied to individual files.

tasks/rhel7stig/lsm.yml

@@ -51,3 +51,33 @@
     - high
     - RHEL-07-020210
     - RHEL-07-020211
+
+# NOTE(mhayden): Ansible's find module doesn't support searching for files
+# based on SELinux contexts yet.
+- name: Check for unlabeled device files
+  command: "find /dev -context '*unlabeled_t*'"
+  register: unlabeled_devices
+  changed_when: False
+  check_mode: no
+  when:
+    - ansible_os_family == 'RedHat'
+  tags:
+    - lsm
+    - medium
+    - RHEL-07-020940
+
+- name: RHEL-07-020940 - All system device files must be correctly labeled to prevent unauthorized modification.
+  debug:
+    msg: |
+      Devices were found without SELinux labels:
+      {% for device in unlabeled_devices.stdout_lines %}
+      {{ device }}
+      {% endfor %}
+  when:
+    - ansible_os_family == 'RedHat'
+    - unlabeled_devices.stdout is defined
+    - unlabeled_devices.stdout | length > 0
+  tags:
+    - lsm
+    - medium
+    - RHEL-07-020940